1
Installation and Upgrades / Re: zentyal-firewall 7.0.0 tries to call /sbin/iptables
« on: April 22, 2021, 10:30:04 am »
@Daniel I think we picked this up on the github issue (https://github.com/zentyal/zentyal/issues/2039)
for others - the problem was a failed upgrade script, which didn't create the symlink. Have a look at the discussion on github, but it seems that re-running the upgrade script again from the command line may resolve these issues.
2
Installation and Upgrades / Recovering from TKEY unacceptable and DNS-Samba problems (inc nsupdate errors)
« on: March 16, 2021, 07:05:39 pm »
After a very difficult upgrade from 6.2 to 7.0, I was facing a problem where Bind and Samba were not properly connected, so DNS updates between them failed (and ultimately disrupted replication between DCs because their DNS zones became incorrectly populated). Restarting the dns module and/or the samba module failed with errors.
I noted several things I need to check and fix, so I'll list them here to help anyone who comes down with the same problems.
A lot of the problems are because the user "bind" cannot access the "dns.keytab", but this is silently failing. You just see "TKEY is unacceptable" errors or "Update: REFUSED" errors.
Check the reference to the dns.keytab shown in /etc/bind/named.conf.options. It should be pointing to /var/lib/samba/private/dns.keytab
Check the access rights to the /var/lib/samba/private folder. It must be readable by "bind" (or "named") - you may have to run
Code:
chmod o=rx /var/lib/samba/private
Check that the /var/lib/samba/private/dns.keytab file is set to group "bind" (or "named") and with permissions r-x. Permissions for other users should be --- (not allowed access)
If that doesn't fix your problem, you can recreate the DNS update user, but you must follow all these steps
If there is a /var/lib/samba/private/dns.keytab file, delete it
use samba-tool to delete any existing DNS update user -
Code:
sudo samba-tool user delete dns-{domain controller name}
follow this guide to recreate the user and keytab - https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable#Temporarily_Changing_the_DNS_Back_End
add the newly created user to the DnsAdmins group -
Code:
sudo samba-tool group addmembers "DnsAdmins" dns-{domain controller name}
as above, check that dns.keytab is readable by the bind user
Finally, if you're seeing errors relating to "nsupdate -l -t10 (unknown)" check that you
- Have disabled IPv6 on the machine OR
- Have enabled bind to respond on IPv6. You'll need to copy /usr/share/zentyal/stubs/dns/bind9.mas to /etc/zentyal/stubs/bind9.mas and then edit that file to remove the "-4" from the OPTIONS line
Then you can check that things are working with
Code:
sudo samba_dnsupdate --verbose
and
Code:
sudo nsupdate -l
then type "help" and "quit" to make sure it's connected
I hope this saves someone a day or so trying to work out why the DNS module is throwing errors in Zentyal.
3
Installation and Upgrades / Re: Zentyal 7: Invalid value for Default login shell: /usr/bin/bash ...
« on: March 16, 2021, 06:36:58 pm »
I had a similar problem after an upgrade from 6.2 to 7.0 aborted during the upgrade of Ubuntu from 18.04 to 20.04.
As a result, the release-upgrade script did not complete. That script has a line that creates a symlink between /bin/bash and /usr/bin/bash
https://github.com/zentyal/zentyal/blob/80eca4ab66374e2c7f662f9bd09dd1314dcacd8f/main/core/src/scripts/release-upgrade#L262
4
Installation and Upgrades / [FIX] FATAL: Could not connect to samba LDAP server: connect: Connection refused
« on: March 14, 2021, 07:47:41 pm »
I started to see this error in the Web Admin console when trying to access any of the Domain menu options.
The error was reported in /var/log/zentyal/zentyal.log as
Code:
Ldap.pm:219 EBox::Ldap::safeConnect - FATAL: Could not connect to samba LDAP server: connect: Permission denied at FATAL: Could not connect to samba LDAP server: connect: Permission denied at /usr/share/perl5/EBox/Ldap.pm line 219
After a great deal of debugging, I found this solution.
- Zentyal makes its LDAP connection through a pipe at /var/lib/samba/private/ldapi_priv/ldapi
- The modules run as user ebox
- ldapi_priv is group "ebox"
- ldapi_priv/ldapi is a pipe, so read/writeable by all
- /var/lib/samba has permissions allowing any user to access
- in my situation, /var/lib/samba/private was owned root:root and only accessible by root
- therefore it seemed that user ebox could not access the ldapi pipe (defined in /usr/share/perl5/EBox/Ldap.pm)
Code:
# run from /var/lib/samba
sudo chgrp ebox private
sudo chmod g=rwx private
That fixed my problem
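Both this post and the dns.keytab post above come down to the same silent failure: a service account (ebox here, bind there) that cannot get through the mode bits on /var/lib/samba/private, with nothing in the Samba or Bind logs saying so. The following is an added example, not code from either post or from Zentyal or Samba, that emulates the kernel's owner/group/other check for a named user so the blocking component can be found without switching to that user. It assumes GNU stat, looks only at classic mode bits (no ACLs, no root override), and the group memberships "bind" and "ebox" in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not code from the forum posts or from Zentyal/Samba: emulate
# the kernel's owner/group/other mode-bit check for a named user, so the two
# silent failures above (bind unable to read dns.keytab, ebox unable to reach
# the ldapi socket) can be pinpointed without switching to that user.
# Limits: classic mode bits only (no ACLs, no root override); needs GNU stat.

# mode_digit <user> <groups> <path>
# Print the octal digit (owner, group or other) that applies to <user>, where
# <groups> is a space-separated list of the groups that user belongs to.
mode_digit() {
    _u=$1; _g=$2; _p=$3
    _owner=$(stat -c '%U' "$_p")
    _group=$(stat -c '%G' "$_p")
    _mode=$(stat -c '%a' "$_p")
    _pre=${_mode%???}; _mode=${_mode#"$_pre"}   # keep the last three digits
    if [ "$_owner" = "$_u" ]; then
        printf '%s\n' "$_mode" | cut -c1
    elif printf ' %s ' "$_g" | grep -qF " $_group "; then
        printf '%s\n' "$_mode" | cut -c2
    else
        printf '%s\n' "$_mode" | cut -c3
    fi
}

# can_access_as <user> <groups> <base> <path> r|w|x
# Exit 0 if <user> could open <path> for that access: every directory below
# <base> needs the search (x) bit and <path> itself needs the requested bit.
# <base> is assumed reachable (pass / to check the whole path); the first
# blocking component is printed so you know which chmod/chgrp to apply.
can_access_as() {
    _u=$1; _g=$2; _base=${3%/}; _f=$4
    case $5 in
        r) _need=4; _word=read ;;
        w) _need=2; _word=write ;;
        x) _need=1; _word=execute ;;
        *) echo "usage: can_access_as user groups base path r|w|x"; return 2 ;;
    esac
    [ -e "$_f" ] || { echo "MISSING: $_f"; return 1; }
    _d=$(dirname "$_f")
    while [ "$_d" != "$_base" ] && [ "$_d" != "/" ]; do
        if [ $(( $(mode_digit "$_u" "$_g" "$_d") & 1 )) -eq 0 ]; then
            echo "BLOCKED: $_u cannot search $_d ($(stat -c '%U:%G %a' "$_d"))"
            return 1
        fi
        _d=$(dirname "$_d")
    done
    if [ $(( $(mode_digit "$_u" "$_g" "$_f") & $_need )) -eq 0 ]; then
        echo "BLOCKED: $_u cannot $_word $_f ($(stat -c '%U:%G %a' "$_f"))"
        return 1
    fi
    echo "OK: $_u can $_word $_f"
}

# Usage for the two cases above (the group lists "bind" and "ebox" are
# assumptions; pass the real output of `id -Gn <user>` as the second argument):
#   can_access_as bind bind /var/lib/samba /var/lib/samba/private/dns.keytab r
#   can_access_as ebox ebox /var/lib/samba /var/lib/samba/private/ldapi_priv/ldapi w
```

The ldapi check asks for write access because connecting to a Unix socket needs the write bit on the socket itself, whereas Bind only needs to read the keytab; in both cases the directory search bit on /var/lib/samba/private is checked first, which is exactly where both posts found the problem.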
5
Installation and Upgrades / zentyal-firewall 7.0.0 tries to call /sbin/iptables
« on: March 13, 2021, 09:02:39 pm »
Recent upgrade from 6.2.7 to 7.0 on Ubuntu
After upgrading I noticed that my iptables were blank and I had no routing through the server. Looking at the log, I could see that the firewall module was trying to manipulate iptables by referencing /sbin/iptables.
There wasn't an /sbin/iptables on my installation - it's /usr/sbin/iptables
I "fixed" the problem by creating a symbolic link from /sbin/iptables to /usr/sbin/iptables and restarted the firewall. iptables then populated correctly and traffic flowed through the server.
6
Email and Groupware / Re: Outgoing mail is rejected with invalid address format
« on: May 28, 2020, 02:02:01 pm »
Posting this so future readers can see the problem and the fix.
Samba 4.7.6 ignores the setting for "winbind use default domain" on the machine running the AD-DC.
That means all usernames are now in the format "DOMAIN\username" on the AD-DC machine - you'll also notice this logging into the Zentyal webadmin. This cannot be changed.
The fix I had to put in place:
Copy the postfix configuration stub into /etc/zentyal/stubs/mail if it doesn't already exist there.
Code:
mkdir /etc/zentyal/stubs/mail
cp /usr/share/zentyal/stubs/mail/main.cf.mas /etc/zentyal/stubs/mail/
Edit /etc/zentyal/stubs/mail/main.cf.mas to add this line
Code:
sender_canonical_maps = regexp:/etc/postfix/sender_canonical
Create a file /etc/postfix/sender_canonical with the content
Code:
# remove DOMAIN segment of DOMAIN\username sender
/([A-Z]+)\\(.*)/ $2
Restart Zentyal Mail
Code:
sudo zs mail restart
This re-writes outbound usernames as "username", stripping the DOMAIN section.
You also have to create symlinks in /mail/var. For each mailbox "username", create a hard symlink to DOMAIN\username
Code:
cd /mail/var
sudo ln username "DOMAIN\username"
otherwise the mail command won't work for your users.
7
Email and Groupware / Outgoing mail is rejected with invalid address format
« on: May 25, 2020, 11:01:27 pm »
Running Zentyal 6.2, Samba Active Directory enabled.
In smb.conf, these values are set
Code:
workgroup = mydomain (in lower case)
realm = mydomain.com
From the Linux command line on the server running Zentyal,
Code:
MYDOMAIN\myuser@dc:\home\myuser$ mail touser@gmail.com
Subject: Test Email
Test Email
The mail is rejected by GMail with this error
Code:
: host aspmx.l.google.com[108.177.15.27] said: 553-5.1.7 The sender address <MYDOMAIN\myuser@dc.mydomain.com> is not a valid 553 5.1.7 RFC-5321 address.
If I send an email myself, I see TWO mailboxes in /var/mail
Code:
MYDOMAIN\myuser
mydomain\myuser
When I open mail to read mail, it says there is no mail for MYDOMAIN\myuser
If I cat the file of mydomain\myuser I can see the email
Looking in /var/log/mail.log I can see
Code:
postfix/pickup[29633]: 0532F1403E4: uid=1000 from=<MYDOMAIN\myuser>
So it seems that postfix is doing two things:
- Not removing the MYDOMAIN part of my username from the outbound "from address"
- Changing the reply back to all lowercase (including the mydomain section)
Any thoughts what I can do to resolve this?
8
Directory and Authentication / Re: Users with UID 1*** no longer visible in Zentyal 6.1
« on: May 23, 2020, 08:09:55 pm »
I'm having the same problem.
Why was this behaviour changed?
I don't want to have to renumber my users as presumably I'll have to change all their file ownership permissions in Linux to match the new numbers?
9
Directory and Authentication / Re: Zentyal 5.1 - getent group shows no users
« on: March 31, 2020, 02:21:25 pm »
That fixed the problem, thank you.
On my Backup Domain Control (BDC) - also running Zentyal 5.1, I additionally had to run
Code:
sudo net cache flush
sudo smbcontrol winbind reload-config
to get the users within the group to be visible.
10
Directory and Authentication / [SOLVED] Zentyal 5.1 - getent group shows no users
« on: March 29, 2020, 06:32:47 pm »
I'm running Zentyal 5.1 with Samba 4.6.7 on Ubuntu 16.04.6 LTS
I have users and groups populated in Active Directory. I can use the Zentyal GUI to add a user to the "Domain Admins" group.
However querying the Domain Admin groups shows it as being empty:
Code:
> getent group
DOMAIN\domain admins:x:2512:
> wbinfo --group-info="Domain Admins"
DOMAIN\domain admins:x:2512:
Using samba-tool provides the correct answer:
Code:
> sudo samba-tool group listmembers "Domain Admins"
ldb_wrap open of secrets.ldb
nickpiggott
Administrator
zentyal-mail-dc2
My uid is 1000 (a legacy ID). The administrator uid is 2500. The zentyal-mail-dc2 uid is 3000031.
My smb.conf is autogenerated by Zentyal. There are no apparent errors in /var/log/samba/samba.log. I'm using only winbind (sssd is not installed on this box).
What can I do to correct this? It's stopping important functionality (like adding "Domain Admins" to the sudoers file) from working.
11
Directory and Authentication / Re: [SOLVED] Active Directory clients and user / group IDs
« on: September 09, 2019, 08:55:49 am »
I'm trying to create a harmonised experience for my users across a mixture of Microsoft Windows and Linux (Ubuntu) machines.
Using SMB to access files on the file server is a good experience in Windows (with automatic drive mapping at logon), but a poor experience on Linux. I'm preferring to use NFS for Linux workstations, using exports and mounting them natively, but to do that, the user and group ID numbers must be aligned across the whole network.
This configuration of SSSD on the workstations means the user id and group ids are the same on the workstation as the server, so access control is correctly applied across the NFS shares (and consistently in line with accessing the same files using SMB).
As a user, I don't notice any significant difference between accessing my files using mapped drives in Windows or mounted in folders in Linux, which is my ambition.
12
Directory and Authentication / Re: Active Directory clients and user / group IDs
« on: August 29, 2019, 12:26:02 pm »
I have found the solution.
1. Add these lines to the relevant [domain] section of /etc/sssd/sssd.conf
Code:
id_provider = ad
access_provider = ad
ldap_id_mapping = false
enumerate = true
2. Stop SSSD with
Code:
sudo systemctl stop sssd
3. Clear the SSSD cache with
Code:
sudo rm -rf /var/lib/sss/db/*
4. Start SSSD again
Code:
sudo systemctl start sssd
5. Verify that the native uidNumber and gidNumber are showing
Code:
getent passwd
getent group
6. If the native ids are showing, edit the /etc/sssd/sssd.conf file to remove the enumerate = true line, and stop/start SSSD again.
You should not need to make any reference to winbind in smb.conf or idmap config in sssd.conf
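Steps 1 and 6 are both section-scoped edits to /etc/sssd/sssd.conf: the keys must land inside the right [domain/...] section, not in [sssd] or [nss], and enumerate has to come back out of that same section afterwards. The following is an added example, not code from the post or from SSSD or Zentyal, of POSIX shell/awk helpers that read, set and remove a key inside a named section and check the three values the post relies on. It assumes "key = value" lines and a POSIX awk; the domain name domain/example.test in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the forum post or from SSSD/Zentyal: small
# section-aware helpers for /etc/sssd/sssd.conf so the [domain/...] edits in
# steps 1 and 6 can be applied and verified from a script rather than by hand.
# Assumes POSIX awk and "key = value" lines; writes back through cat so the
# file keeps its existing owner and mode (sssd.conf is normally 0600 root).

# sssd_get <file> <section> <key>  -> prints the value, or nothing if unset
sssd_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { h = $0; gsub(/^[ \t]+|[ \t]+$/, "", h); insec = (h == sec); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# sssd_set <file> <section> <key> <value>  -> replace in place, or append to
# the section (the section is created at the end of the file if missing)
sssd_set() {
    _t=$(mktemp)
    awk -v sec="[$2]" -v key="$3" -v val="$4" '
        function emit_pending() { if (insec && !done) { print key " = " val; done = 1 } }
        /^[ \t]*\[/ {
            emit_pending(); h = $0; gsub(/^[ \t]+|[ \t]+$/, "", h)
            insec = (h == sec); if (insec) seen = 1
            print; next
        }
        insec && !done && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) { print key " = " val; done = 1; next }
        }
        { print }
        END { if (!seen) { print ""; print sec; insec = 1 } emit_pending() }' "$1" > "$_t" && cat "$_t" > "$1"
    rm -f "$_t"
}

# sssd_unset <file> <section> <key>  -> drop the key from that section only
sssd_unset() {
    _t=$(mktemp)
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { h = $0; gsub(/^[ \t]+|[ \t]+$/, "", h); insec = (h == sec); print; next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) next
        }
        { print }' "$1" > "$_t" && cat "$_t" > "$1"
    rm -f "$_t"
}

# sssd_check_ad <file> <section>  -> 0 if the three values from step 1 are
# set as the post needs them, 1 (with a line per problem) otherwise
sssd_check_ad() {
    _rc=0
    for _pair in id_provider=ad access_provider=ad ldap_id_mapping=false; do
        _k=${_pair%%=*}; _want=${_pair#*=}
        _have=$(sssd_get "$1" "$2" "$_k")
        if [ "$_have" = "$_want" ]; then
            echo "ok       $_k = $_have"
        else
            echo "PROBLEM  $_k should be $_want (found: ${_have:-unset})"
            _rc=1
        fi
    done
    return $_rc
}

# Usage following the post's steps (domain/example.test is a placeholder):
#   sssd_set /etc/sssd/sssd.conf domain/example.test id_provider ad
#   sssd_set /etc/sssd/sssd.conf domain/example.test access_provider ad
#   sssd_set /etc/sssd/sssd.conf domain/example.test ldap_id_mapping false
#   sssd_set /etc/sssd/sssd.conf domain/example.test enumerate true
#   sssd_check_ad /etc/sssd/sssd.conf domain/example.test
#   ... stop sssd, clear /var/lib/sss/db, start sssd, check getent, then:
#   sssd_unset /etc/sssd/sssd.conf domain/example.test enumerate
```

Writing back with cat rather than mv matters here: mv would replace sssd.conf with the temp file's mode and owner, and SSSD refuses a config file that is not root-owned 0600, which would turn a successful edit into a service that no longer starts.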
13
Directory and Authentication / [SOLVED] Active Directory clients and user / group IDs
« on: August 28, 2019, 08:59:41 pm »
I am running Zentyal 5.1, providing an Active Directory service. I can successfully join machines to the domain, and I have a number of users in the domain. They all have uidNumber and gidNumber entries in their LDAP records, and these are correctly mapped to the user ID and group IDs when the user logs into any of the Domain Controllers.
The server smb.conf contains
Code:
idmap_ldb:use rfc2307 = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U
Problem: The user and group IDs that are allocated to users and groups are different when the user logs into a (non Domain Controller) machine joined to the domain.
Can anyone advise what I need to install and configure for the idmapping on the client machine to correctly use the uidNumber and gidNumber in the Active Directory?
I've followed a number of guides for enabling SSO with AD, and the official Samba guidance for idmap config ad. I can't find much documentation on how to use the idmap_ldb configuration on the client machine.
Thanks
14
Other modules / Re: Local DNS and external Authoritative DNS - How to Configure?
« on: July 03, 2019, 11:59:51 am »
I've noticed that this question has been asked before, but apparently there isn't a solution yet?
15
Other modules / Local DNS and external Authoritative DNS - How to Configure?
« on: July 03, 2019, 09:21:00 am »
I'm using Zentyal 5.1, configured to provide an Active Directory.
That requires that I have a DNS server authoritative for my domain (domain.com) running on the Zentyal server. This is populated with the required DNS records for the domain controller (dc1.domain.com).
The true authoritative DNS server for the domain is hosted externally. All new DNS records for the domain are added to this external DNS server. For example, the A record for www.domain.com is hosted externally.
When I query DNS for www.domain.com locally, the request is passed to the DNS server running on Zentyal. It believes that it is the authoritative DNS server for the domain, and because there is no A record configured for www.domain.com on that DNS server, it returns an NX (not found) result.
Is there a way I can configure Zentyal / Samba / bind to forward requests for that zone to the specific external Authoritative nameserver for domain.com?